Windows endpoints' vulnerabilities are not detected


Sat Slamkhan

Sep 20, 2023, 5:04:44 AM
to Wazuh | Mailing List
Hello,

I have 3 agents connected to my Wazuh manager: the 1st is on Windows Server 2022, the 2nd is Windows 10 Pro, and the last is Windows 11 Pro. It detects the vulnerabilities of the 1st agent, but there is nothing on the vulnerabilities page of the other two agents.

I've checked the connections from agent to server by ports 1514, 1515 and 55000 - everything is okay.

Here is my ossec.conf from Wazuh Manager:

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>yes</enabled>
      <os>buster</os>
      <os>bullseye</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>yes</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- SUSE OS vulnerabilities -->
    <provider name="suse">
      <enabled>yes</enabled>
      <os>11-server</os>
      <os>11-desktop</os>
      <os>12-server</os>
      <os>12-desktop</os>
      <os>15-server</os>
      <os>15-desktop</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

My ossec.conf from Windows Agent (Windows 11 Pro) is in attached files.


ossec.conf

Sat Slamkhan

Sep 20, 2023, 5:31:04 AM
to Wazuh | Mailing List
I also did everything written in this blog post: https://wazuh.com/blog/using-wazuh-for-windows-vulnerability-detection/

up to the part "Exploring the outstanding vulnerabilities", because there were no vulnerabilities still. Also, I don't have Windows Updates as was shown in the post (see the screenshot in attachments):
Screenshot 2023-09-20 152938.png

Stuti Gupta

Sep 20, 2023, 5:56:03 AM
to Wazuh | Mailing List
Hi Sat

Hope you are doing well today and thank you for using Wazuh. To know the root cause of the issue, can you please share the below-mentioned details:
  • Please share the ossec.log (/var/ossec/log/ossec.log | grep vulnerability) so we can see whether the vulnerability detector is working fine or not
  • Please replace no with yes in <logall>yes</logall> <logall_json>yes</logall_json>, in the global section of ossec.conf.
Sometimes the vulnerability detector on Windows takes time to scan the system; please wait for a few hours.
Looking forward to your response. 

Regards,

Sat Slamkhan

Sep 29, 2023, 7:15:09 AM
to Wazuh | Mailing List
I have attached screenshots of ```grep vulnerability /var/ossec/logs/ossec.log```
and replaced no with yes <logall>yes</logall> <logall_json>yes</logall_json>, in the global section of ossec.conf.

Also, I've added <hotfixes>yes</hotfixes> after <packages> in the server's and agents' config files. After that I could see some vulnerabilities on the interface, but still not as I expected. On some agents it is written that there was a vulnerability scan, however no vulnerabilities are shown. So it's either some vulnerabilities or nothing. However, it's written that a scan took place. (I also attached screenshots of the vulnerability interface of some agents.)
Screenshot 2023-09-29 170442.png
Screenshot 2023-09-29 171310.png
Screenshot 2023-09-29 171051.png
Screenshot 2023-09-29 171326.png
Screenshot 2023-09-29 170401.png
Screenshot 2023-09-29 170313.png
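Added example, not code from the thread or from Wazuh: a small checker for the prerequisites discussed above (syscollector with os, packages and the explicitly added hotfixes option, and the msu provider on the manager). It assumes the usual ossec.conf layout with several top-level <ossec_config> blocks; the sample config is constructed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's attachment): the syscollector wodle as first posted,
# without <hotfixes>, plus a manager-side vulnerability-detector block with the msu provider.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <wodle name="syscollector">
    <disabled>no</disabled>
    <os>yes</os>
    <packages>yes</packages>
  </wodle>
</ossec_config>
<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <provider name="msu"><enabled>yes</enabled></provider>
  </vulnerability-detector>
</ossec_config>
"""

def parse_ossec_conf(text):
    # ossec.conf usually holds several top-level <ossec_config> blocks, which is not
    # well-formed XML on its own, so wrap them in a dummy root before parsing.
    return ET.fromstring("<root>" + text + "</root>")

def _is_yes(element, child):
    return (element.findtext(child) or "").strip().lower() == "yes"

def check_windows_vuln_prereqs(text, is_manager=True):
    """Return a list of findings; an empty list means every prerequisite is present."""
    root = parse_ossec_conf(text)
    findings = []
    sc = root.find(".//wodle[@name='syscollector']")
    if sc is None or (sc.findtext("disabled") or "no").strip().lower() == "yes":
        findings.append("syscollector wodle missing or disabled: no inventory is sent")
    else:
        # os and packages feed the vulnerability matcher; the thread reports that
        # explicitly adding <hotfixes>yes</hotfixes> made Windows results appear.
        for opt in ("os", "packages", "hotfixes"):
            if not _is_yes(sc, opt):
                findings.append(f"syscollector <{opt}> is not set to yes")
    if is_manager:  # vulnerability-detector only exists in the manager's ossec.conf
        vd = root.find(".//vulnerability-detector")
        if vd is None or not _is_yes(vd, "enabled"):
            findings.append("vulnerability-detector is not enabled")
        else:
            msu = vd.find("provider[@name='msu']")
            if msu is None or not _is_yes(msu, "enabled"):
                findings.append("msu provider (Windows feeds) is not enabled")
    return findings
```

Run it with is_manager=False against an agent's ossec.conf, where no vulnerability-detector block is expected.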

Stuti Gupta

Oct 2, 2023, 11:22:15 PM
to Sat Slamkhan, Wazuh | Mailing List
Hi Sat, 
Sorry for the late reply 
Please make sure the agents are active and connected and Please share the ossec.log of an agent whose vulnerability scan has an issue.

Hope to hear from you soon
Regards,


Sat Slamkhan

Oct 4, 2023, 1:31:43 AM
to Wazuh | Mailing List
Ok, look, I have 3 active agents right now: 1) Windows Server 2022 (the server where Wazuh is set up); 2) Windows 11 (test1); 3) Windows 11 (test2).

First of all, the vulnerability scan works perfectly fine with the first agent, from the very beginning. But I had this problem with my Windows agents.
I tried to solve this problem when I had only one agent, test1. I tried everything and it worked, however I didn't know what the solution was, so I started to work with test2. As I said, the scan is shown as working, but the vulnerabilities are not shown. Now I will attach the 2 ossec.conf files of test1 and test2.
ossec(test2).conf
ossec(test1).conf

Stuti Gupta

Oct 4, 2023, 6:19:37 AM
to Wazuh | Mailing List
Please share the agent ossec.log, located at C:\Program Files (x86)\ossec-agent\ossec.log, of the agent whose vulnerabilities are not showing (in txt format).

Sat Slamkhan

Oct 4, 2023, 7:58:01 AM
to Stuti Gupta, Wazuh | Mailing List
ossec (test2).log

Sat Slamkhan

Oct 4, 2023, 8:00:48 AM
to Wazuh | Mailing List
ossec (test1).log

Stuti Gupta

Oct 5, 2023, 12:06:46 AM
to Wazuh | Mailing List
Hi.
Thanks for the logs and other information provided.
Your configuration file seems okay, but there seems to be an error in the logs in ossec (test2).
Part of the error noticed was ERROR: Could not get message for (Application), which has to do with the Windows API on the Windows 11 system that is responsible for obtaining events from Windows logs. The Event Viewer needs to be checked as to why it can't forward Application-related events to Wazuh; the link Troubleshoot event message not found could also be helpful. Regarding the error messages you are getting, focusing on the error codes and comparing them with the Windows error codes, we can see that in the log file the message could not be found (error code 15033). For that, you can also refer to https://github.com/wazuh/wazuh/issues/3114
Part of the error noticed in ossec (test1): wazuh-agent: ERROR: Connection socket: An existing connection was forcibly closed by the remote host. (10054). Please set windows.debug=2 for Windows in /var/ossec/etc/internal_options.conf and restart it in order to get more detailed information on the error. https://github.com/wazuh/wazuh/issues/19401
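Added example, not code from the thread or from Wazuh: a log triage helper that does the check the replies above describe by hand, matching the two quoted error signatures in an agent ossec.log and noting whether a syscollector inventory run finished. The line layout and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the Wazuh ossec.log layout (date time tag: LEVEL: message); the two
# ERROR texts are the ones quoted in the thread, the other lines are made up for this example.
SAMPLE_LOG = """\
2023/10/04 09:30:01 wazuh-agent: INFO: (1410): Reading authentication keys file.
2023/10/04 09:30:05 wazuh-agent: ERROR: Connection socket: An existing connection was forcibly closed by the remote host. (10054)
2023/10/04 09:30:06 wazuh-agent: ERROR: Connection socket: An existing connection was forcibly closed by the remote host. (10054)
2023/10/04 09:31:00 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2023/10/04 09:31:40 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2023/10/04 09:32:00 wazuh-agent: ERROR: Could not get message for (Application)
2023/10/04 09:32:01 wazuh-agent: INFO: Agent is now online.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tag>\S+): (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Error signatures discussed in the thread, each mapped to the next step the reply suggests.
KNOWN_ERRORS = {
    r"Connection socket: .*\(10054\)":
        "remote host closed the socket: set windows.debug=2 in internal_options.conf and restart",
    r"Could not get message for \(\w+\)":
        "event message lookup failed: check Event Viewer for that channel (error code 15033)",
}

def parse_log(text):
    """Split ossec.log lines into dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(text):
    """Count ERROR lines, attach a hint for known signatures and flag a finished inventory scan."""
    entries = parse_log(text)
    errors = [e for e in entries if e["level"] == "ERROR"]
    hints = Counter()
    for e in errors:
        for pattern, hint in KNOWN_ERRORS.items():
            if re.search(pattern, e["msg"]):
                hints[hint] += 1
    # A finished syscollector run means the agent did send inventory, so the next place
    # to look is the manager's vulnerability-detector log rather than the agent scan.
    scan_finished = any(
        e["tag"].endswith("syscollector") and "finished" in e["msg"].lower() for e in entries
    )
    return {"errors": len(errors), "hints": dict(hints), "syscollector_finished": scan_finished}
```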

Sat Slamkhan

Oct 6, 2023, 6:16:41 AM
to Wazuh | Mailing List
Ok, I didn't do anything yet, but I noticed this picture today (attachment). One vulnerability was detected on my test2 agent. Why and how did this happen?

Also, can you please explain what I should do in order to solve the problems with test2? I opened and read those two links, but didn't understand what I'm supposed to do.

Screenshot 2023-10-06 142424.png

Sat Slamkhan

Oct 9, 2023, 2:10:15 AM
to Wazuh | Mailing List
Can you say what this can be? Could it be that Windows machine with that agent really didn't have any vulnerabilities?

Sat Slamkhan

Oct 11, 2023, 1:01:02 AM
to Wazuh | Mailing List
excuse me?